Accepted nodejs 10.24.0~dfsg-1~deb10u2 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted nodejs 10.24.0~dfsg-1~deb10u2 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 05 Oct 2022 10:40:22 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: nodejs_10.24.0~dfsg-1~deb10u2_source.changes
- Debian-source: nodejs
- Debian-suite: oldstable
- Debian-version: 10.24.0~dfsg-1~deb10u2
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=uwC2RipTIKAv0Osxtnpn8+61LUYY5JEJ1VVJmRl1CAM=; b=NwQlHlpDc5fjN+flqlsq90vJJz vL3ehnAL3BXGSNkoVtn4mDwjD5b0nZKLAl2kB6AI7t5Qi/dsPQ4N6DBJqJXi0AyP8zitx7DNkGcB+ X+EiBwDng1kWO3CrpROFkicYrcaFV03yT8pJw38g6irWaDQJKMUqdwfG7Bj338+mdu3WW1yPoEWVa 2WCIu5n3muaMYsEvKRbg7xPt79zFHScoX+/XE2v6xoCgHB7lnN/T7dCUosmkFXnl1FNDhNDMf4cG+ xtB5jl/yHj/+FrObnW5iUi/0XgSULMpwDCm86ROnPqPs2B1vq3LnuzAB9Bon5CNCoWLPzkvmawy6y 7EzRDZXA==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1og1p8-000KXv-Kd@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 04 Oct 2022 19:34:15 +0200
Source: nodejs
Architecture: source
Version: 10.24.0~dfsg-1~deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Sylvain Beucler <beuc@debian.org>
Changes:
nodejs (10.24.0~dfsg-1~deb10u2) buster-security; urgency=high
.
* Non-maintainer upload by the LTS Security Team.
* Fix test suite failures (expired certificate; testing as root)
* CVE-2021-22930, CVE-2021-22940: use after free attack where an
attacker might be able to exploit the memory corruption, to change
process behavior.
* CVE-2021-22939: if the Node.js https API was used incorrectly and
"undefined" was in passed for the "rejectUnauthorized" parameter, no
error was returned and connections to servers with an expired
certificate would have been accepted.
* CVE-2022-21824: due to the formatting logic of the "console.table()"
function it was not safe to allow user controlled input to be passed
to the "properties" parameter while simultaneously passing a plain
object with at least one property as the first parameter, which could
be "__proto__".
* CVE-2022-32212: OS Command Injection vulnerability due to an
insufficient IsAllowedHost check that can easily be bypassed because
IsIPAddress does not properly check if an IP address is invalid before
making DBS requests allowing rebinding attacks.
Checksums-Sha1:
12040fbc8b320dc55d0019b51725be2b77561ffd 3032 nodejs_10.24.0~dfsg-1~deb10u2.dsc
9531e225d78ab87a2a9256ef6e369063c32d9f10 111872 nodejs_10.24.0~dfsg-1~deb10u2.debian.tar.xz
dfaf6996c02f26db006299f89e87d66dbac332cf 8616 nodejs_10.24.0~dfsg-1~deb10u2_amd64.buildinfo
Checksums-Sha256:
9c3e1e8011da8ef7fcd1639ee810cfad566bb79a3abd659c34cb4bcd358217fb 3032 nodejs_10.24.0~dfsg-1~deb10u2.dsc
06e9c1a0e8ff9e648ac3bdc1878b954ec961e779665bf3dc84f7f8c2981955d3 111872 nodejs_10.24.0~dfsg-1~deb10u2.debian.tar.xz
b1d53f8554a95232e7396235b83a9a364f0331e6699fed2dec9bfcd9bf616d2a 8616 nodejs_10.24.0~dfsg-1~deb10u2_amd64.buildinfo
Files:
a3b063bcba714dccc48899f5597c2341 3032 javascript optional nodejs_10.24.0~dfsg-1~deb10u2.dsc
efb1b92f28f32d3bc5c638c10a7e4ced 111872 javascript optional nodejs_10.24.0~dfsg-1~deb10u2.debian.tar.xz
f3187b54dc647aed41456da47b739884 8616 javascript optional nodejs_10.24.0~dfsg-1~deb10u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmM9VJcACgkQDTl9HeUl
XjB6RxAAoczwnshBhz8Mu+PoXepytewaQypQJsukiCICTRsU4OFcscxphNjukOY1
9SdC9SWDM85r4lo3is6fGRO01KL/wRRy1TW5+GncmFGuBNL4fmWB7eSbyfsZ/wqD
uFKpXWS3R5oBZA1+jhlvECao+525kUZq0Vbe8ftABm3BJgAANcphncrEg93/f2JA
03PeUhzpJj7raXyEpAaraOeUvaUsWlT2qWIVfDIsjeeKjC+MV532Gv0NddmLJpUj
MQ7zVCehUDaEYBSQFVMsBzZ3ZD1ycJMv5efeZcgxh4K8NZebaxbWuIcnl/AJlWgo
8mxvFp2GIhm5/G5dBDHIrAq7V0LOv3BjijuWqduPJucsNBCo7BeCi+PpXbpgSgQR
E2ovV7fKWez9iv5eFeqDRK7SfMcZ4tkcA/L7zpKo+qY5tliR2KkpY3SoNM5zQiDA
xDHEwNkXpqCmLQwZLqHaShs8iAYYpS8Yumj+L3407B+79xy9Dvo8GmIOQt9bc3VR
5rp+YQUcc8/K5xzZ4niEJmzHhMfR4isKsf/ASsRuRrKkIlqyJ1WuIIorPHC2R5eW
cjYYT5uvZRVvuqgTi3JMCTpdm853/1AZSyPobzWwIiqYazow5WC8P55pyEt9kw2n
SappWrxxJTjN64EPDmjlLmuE/T+Yp+ZXNYso57a5wwEupbLQg6w=
=pMzx
-----END PGP SIGNATURE-----